Powershell script to find changes made to OU

Looking for powershell commands to see who changed an OU

We dont have AD auditing enabled and I would like to check if there is a way with powershell to see who changed it
LVL 1
Indie101Asked:
Who is Participating?
 
footechConnect With a Mentor Commented:
It's a simple answer.  No.
1
 
Indie101Author Commented:
Thanks surprised at no auditing (contracting here) i can see the time it was changed at just can't see by who
0
 
footechCommented:
Yep, if all the information about who changed what was available all the time, there would be no need to turn on auditing.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
MichelangeloIndependent ConsultantCommented:
You can see the exact time in which the last change was performed and on which DC has been originated. Then you can check who obtained kerberos tickets at that time. Thats the maximum detail yoy can obtain ehen auditing is not enabled.
0
 
Indie101Author Commented:
Can you outline the steps to do that Michelangelo?
0
 
MichelangeloIndependent ConsultantCommented:
Hi indie101
basically you have to proceed as described here
https://blogs.technet.microsoft.com/heyscriptingguy/2015/07/03/use-powershell-to-find-changes-to-active-directory/
and

https://blogs.technet.microsoft.com/askpfeplat/2012/05/06/how-to-track-the-who-what-when-and-where-of-active-directory-attribute-changes-part-ii-the-case-of-the-mysteriously-modified-upn/

which is using repadmin /showobjmeta to check replication data on all DCs. Each DC will have a timestamp, earlier one is the on which recorded the change.
Upon determining that DC, you can check for kerberos tickets active in that date range in the Event Log. It is a manual process and your mileage may vary i.e. it depends on how many users were accessing the directory at that time.
Find here an example script which follows this road in examining changes to groups:

https://gallery.technet.microsoft.com/scriptcenter/Find-the-time-a-user-was-a0bfc0cf
1
 
Naveen SharmaCommented:
How to Audit Changes Made to Organizational Units (OUs) in Active Directory:
https://www.lepide.com/how-to/audit-organizational-units-changes-in-active-directory.html
0
 
MichelangeloIndependent ConsultantCommented:
Hi naveem,
This is out of context as author stated auditing is not enabled and changes haopened in the past.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.